openstack team mailing list archive

Re: Swift ACL can't work in RHEL6.1

 

Hi Chmouel,

Thank you for your information.

I installed swift-keystone2 and modified proxy-server.conf.

But authentication may not be working well. For example, I want to check demo's
status using the following command.

[root@node01 ~]# swift -A http://127.0.0.1:5000/v1.0 -U demo -K password stat

Account HEAD failed: http://api.cloud.com:8080/v1/AUTH_2 403 Forbidden

[root@node01 ~]# swift -A http://127.0.0.1:5000/v1.0 -U demo -K password post test_container

Container POST failed: http://api.cloud.com:8080/v1/AUTH_2/test_container 403 Forbidden

All operations (HEAD/PUT/POST/GET) are returned with 403 Forbidden.

But if I change proxy-server.conf back to the old config, all operations
(HEAD/PUT/POST/GET) are OK.

Keystone version:  openstack-keystone-2011.3-b475.noarch
Swift version:
openstack-swift-1.4.3-b447.noarch
openstack-swift-account-1.4.3-b447.noarch
openstack-swift-proxy-1.4.3-b447.noarch
openstack-swift-object-1.4.3-b447.noarch
openstack-swift-container-1.4.3-b447.noarch

proxy-server.conf
[DEFAULT]
bind_port = 8080
user = swift

[pipeline:main]
pipeline = catch_errors cache keystone2 proxy-server

[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true
log_facility = LOG_LOCAL1
log_level = DEBUG

[filter:keystone2]
use = egg:swiftkeystone2#keystone2
keystone_admin_token = 999888777666
# 5001 is the admin API port, 5000 is the service API port
keystone_url = http://127.0.0.1:5001/v2.0

[filter:cache]
use = egg:swift#memcache
set log_name = cache

[filter:catch_errors]
use = egg:swift#catch_errors


Do I need to upgrade keystone to the latest version? How do I debug
keystone2?


Regards,
Li Hua



On Thu, Nov 3, 2011 at 3:29 PM, Chmouel Boudjnah <
Chmouel.Boudjnah@xxxxxxxxxxxxxxx> wrote:

>  Hi Li,
>
>  Swift middleware shipped with keystone doesn't support ACL; you may want
> to try this middleware instead:
>
>  https://github.com/cloudbuilders/swift-keystone2
>
>  Chmouel.
>
>  On 3 Nov 2011, at 05:45, Li Hua wrote:
>
>   Hi Folks,
>
>  I set up a SAIO test environment in RHEL6.1 using openstack-swift-1.4.3-b447.noarch
> from
>  http://yum.griddynamics.net/yum/diablo-centos/ .
>
>  I want to test the container Read/Write access permission using the
> following steps.
>
>  Creating a container with read access permission for anyone.
>
>  [root@node01 ~]# swift -A http://127.0.0.1:5000/v1.0 -U demo -K password post -r '.r:*' testcontainer
>
>
>  Checking the stat of container:
>
>  [root@node01 ~]# swift -A http://127.0.0.1:5000/v1.0 -U demo -K password stat testcontainer
>   Account: AUTH_2
> Container: testcontainer
>   Objects: 0
>     Bytes: 0
>  Read ACL:
> Write ACL:
>   Sync To:
>  Sync Key:
> Accept-Ranges: bytes
> X-Trans-Id: tx1c0e9c6220ea433a90713c160a88b33f
>
>
>  It seems that testcontainer still has no Read ACL. Any comments?
>  Thanks.
>
>
>  Regards,
> Li Hua
>
>
>
> Chmouel Boudjnah
> Cloud Product Engineer
> Tel: +442087344212 Fax: +44 20 8606 6111 Web: www.rackspace.co.uk
>
>
>
